FortiGate
Article Id 193828

Description
When FortiGate firewalls are deployed in Transparent mode, there is often a need to have multicast traffic forwarded through the device. Traffic such as routing protocols or streaming media may need to traverse a Transparent mode FortiGate without the FortiGate interfering in this communication.
Scope
FortiGate or VDOM running in Transparent mode. 
Solution

In a scenario such as the one shown below, multicast traffic must traverse a Transparent mode FortiGate unimpeded. The FortiGate will not alter this traffic, since it is not in NAT mode, and will only pass it on.

Fortinet recommends that the FortiGate is set up using Multicast policies. This allows for greater control over, and predictability of, traffic behavior. However, multicast traffic may also be forwarded through a Transparent mode device using the multicast-skip-policy setting.


[Figure: Example Transparent mode FortiGate deployment]
The example which follows shows this setting enabled in the root VDOM.

fortigate (root) # config system settings
    set multicast-skip-policy enable
end

To disable the feature, use the disable keyword, again followed by end:

fortigate (root) # config system settings
    set multicast-skip-policy disable
end
The per-VDOM setting multicast-skip-policy was introduced in 3.00 MR3. Prior to that, the option lived in "config system global" under the name "tp-mc-skip-policy", which was added in 3.00.

When a packet ingresses on port X, the initial candidate egress ports are chosen according to the type of traffic and the MAC bindings the FortiGate already holds in its forwarding table.

The candidate ports may be a single port (if a MAC binding already exists), a subset of the ports (if a forward domain is configured), or all the ports.

For each candidate port Y, the FortiGate determines whether traffic is allowed from X to Y. If skip is enabled, X->Y traffic is allowed unconditionally. If skip is disabled, the Multicast policy is checked to see whether traffic X->Y is allowed.
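As an added illustration (not Fortinet code, and not a description of FortiOS internals beyond what this article states), the following Python model walks through the decision described above: candidate egress ports are picked from an existing MAC binding or from the ingress port's forward domain, and each candidate is then accepted either because skip is enabled or because a Multicast policy permits X->Y. Port names, forward-domain ids, the sample policy and the implicit-deny result when no policy matches are constructed assumptions for the example.

```python
from dataclasses import dataclass, field


def is_multicast_mac(mac: str) -> bool:
    """A destination MAC is multicast when the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class MulticastPolicy:
    # Simplified multicast policy: source interface, destination interface, action.
    srcintf: str
    dstintf: str
    action: str = "accept"  # "accept" or "deny"


@dataclass
class TransparentVdom:
    ports: list
    # port -> forward-domain id (constructed; ports in different domains never see each other)
    forward_domains: dict = field(default_factory=dict)
    # learned MAC -> port bindings (the forwarding table)
    mac_table: dict = field(default_factory=dict)
    multicast_policies: list = field(default_factory=list)
    multicast_skip_policy: bool = False

    def candidate_ports(self, ingress: str, dst_mac: str) -> list:
        """Step 1: initial candidate egress ports for a frame arriving on `ingress`."""
        # An existing MAC binding yields a single candidate port.
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]
        # Otherwise the frame floods to every other port in the same forward domain.
        domain = self.forward_domains.get(ingress, 0)
        return [p for p in self.ports
                if p != ingress and self.forward_domains.get(p, 0) == domain]

    def policy_allows(self, ingress: str, egress: str) -> bool:
        """First matching Multicast policy decides; no match is treated as deny (assumption)."""
        for pol in self.multicast_policies:
            if pol.srcintf in (ingress, "any") and pol.dstintf in (egress, "any"):
                return pol.action == "accept"
        return False

    def egress_ports(self, ingress: str, dst_mac: str) -> list:
        """Step 2: filter candidates through the skip setting or the Multicast policy."""
        candidates = self.candidate_ports(ingress, dst_mac)
        if not is_multicast_mac(dst_mac):
            # Unicast is governed by regular firewall policies, which this model does not cover.
            return candidates
        return [y for y in candidates
                if self.multicast_skip_policy or self.policy_allows(ingress, y)]


def build_example() -> TransparentVdom:
    """Constructed sample VDOM: port1-port3 in forward domain 1, port4 in domain 2."""
    return TransparentVdom(
        ports=["port1", "port2", "port3", "port4"],
        forward_domains={"port1": 1, "port2": 1, "port3": 1, "port4": 2},
        mac_table={"00:11:22:33:44:55": "port3"},
        multicast_policies=[MulticastPolicy("port1", "port2", "accept")],
    )


if __name__ == "__main__":
    vdom = build_example()
    ospf_all_routers = "01:00:5e:00:00:05"  # MAC for 224.0.0.5 (OSPF AllSPFRouters)
    print("skip disabled:", vdom.egress_ports("port1", ospf_all_routers))
    vdom.multicast_skip_policy = True
    print("skip enabled: ", vdom.egress_ports("port1", ospf_all_routers))
```

With skip disabled, only the policy-permitted port2 receives the OSPF hello; with skip enabled, every candidate in the forward domain (port2 and port3) receives it, while port4 in the other domain never does. That is the trade-off the article points at: skip gives predictable flooding with no per-pair control.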
In order to use Multicast Policies correctly, this "skip" option must remain disabled. Please consult Fortinet documentation on best practices when using Transparent mode, and for examples of the proper use of Multicast Policies.

 

Related Articles

Technical Note: Configuration best practice and troubleshooting tips for a FortiGate in Transparent ...

Technical Note: Transparent mode Layer-2 Ethernet issues with 3rd party load balancing clusters
